Information Security, Web, Networks and Systems

Thursday, April 17, 2014

Configuring Secure IIS Response Headers in ASP.NET MVC

In a previous post I talked about how to configure a secure response in Apache by adding secure response headers (such as X-Frame-Options, X-XSS-Protection etc) and omitting headers that disclose internal implementation and technical details of the apache web server (such as X-Powered-By). In this post, I will talk about how to do this in an ASP.NET MVC web application. Instead of configuring these settings in the IIS server, this time I'm going to do this in the ASP.NET code itself since it gives more flexibility and does not affect other applications hosted on the same IIS server.

Using Anti Forgery Tokens with AJAX in ASP.NET

As you know, we can use anti forgery tokens to prevent Cross Site Request Forgery. Usually we add an anti forgery token in a hidden form field of the form. Each time we post the form to the server, server validates the request using the token in the hidden form field and the other one which is sent as a Cookie. See this post in my blog for more detailed information.
              But when we use AJAX to post data to the server asynchronously, we do not use forms most of the times. In those cases we explicitely need to attach the anti forgery token to our data which is sent via ajax. We can do this by some simple javascript.